SlideShare ist ein Scribd-Unternehmen logo
1 von 9
Downloaden Sie, um offline zu lesen
The Web
Hacking
Incidents
Database
                                                     2007
This report was prepared by Ofer Shezaf and Breach      Annual
Security Labs team.
                                                        Report
The Web Hacking Incidents Database                                                        2007

                A BOUT T HE W EB H ACKING I NCIDENTS
                D ATABASE
                The web hacking incident database (WHID) is a Web Application Security
                Consortium project dedicated to maintaining a list of web application-related
                security incidents. The WHID’s purpose is to serve as a tool for raising
                awareness of the web application security problem and provide information for
                statistical analysis of web application security incidents.

                The WHID is unique in focusing on impact of the attack rather than on the
                technical aspects of the attack. To be included in WHID an incident must be
                publicly reported, be associated with web application security vulnerabilities
                and have an identified outcome.

                For further information about the Web Hacking Incidents Database refer to
                http://www.webappsec.org/projects/whid/.

                R ELATED R ESEARCH W ORK
                Many projects such as Bugtraq, XSSed and the Web Applications Security
                Consortium’s Statistics Project track vulnerabilities in software or in web sites.
                However, vulnerabilities present only one dimension of the problem as they
                tend to be described in technical terms. Real-world incidents on the other hand
                provide us with additional information that enables research into actual trends
                in the hacking world such as the types of organizations attacked, the
                motivation behind the attacks and the sources of the attacks.

                Another project that collects information about real-world web hacking
                incidents is zone-h. While zone-h is more comprehensive and includes a large
                number of incidents, the majority of these are random hacks, something which
                shadows other types of attack. By excluding random attacks, WHID can provide
                a better tool for analyzing targeted non-random attacks on web sites.

                The unique value in tracking targeted web incidents is that it allows measuring
                the actual effect of the incidents, transferring research from the technology
                domain to the business impact domain. In order to manage risk, one needs to
                understand the potential business impact as opposed to technical failure. This
                makes WHID the right tool for making business decisions concerning website
                security.

                O NLY T HE T IP OF T HE I CEBERG
                Since the criteria for inclusion of incidents in the WHID are restricting by
                definition, the number of incidents that are included is not very large - only 80
                incidents made it to the database this year. Therefore the analysis in this
                document is based on relative percentage rather than on absolute numbers.
                We also significantly enhanced the database this year, and have not upgraded



                2
The Web Hacking Incidents Database                                                        2007

                historical records to the same level, so year-over-year analysis is not yet
                available.



                A BOUT T HIS R EPORT
                The WHID has 237 entries of events occurring from 1999 until 2007. However,
                the inclusion criteria were changed in 2006 and additional attributes such as
                incident outcome and type of organization attacked where added in 2007. To
                date, only incidents for 2007 have been adjusted to the new criteria, so until
                the historical data is adjusted, year-over-year analysis is not possible. The
                current report, therefore, focuses on 2007 alone.

                For each incident the WHID views attributes from many different angles:

                    •    Attack Method – The technical vulnerability exploited by the attacker
                         to perform the hack.
                    •    Outcome – the real-world result of the attack.
                    •    Country – the country in which the attacked web site (or owning
                         organization) resides.
                    •    Origin – the country from which the attack was launched.
                    •    Vertical – the field of operation of the organization that was attacked.

                The analysis in this paper is based on all of the above attributes, apart from
                origin and country. Information regarding the origin of attacks was too scarce
                for meaningful analysis. The contributors to the WHID tend to come more from
                English-speaking countries, presumably, because of the English-language
                interface of the WHID. This gives a leaning towards incidents in these countries
                rather than a world status.

                In this report we try to cover the following issues:

                    •    The drivers, business or other, behind Web hacking.
                    •    The vulnerabilities hackers exploit.
                    •    The types of organizations attacked most often.




                3
The Web Hacking Incidents Database                                                             2007


                            W HAT ARE THE D RIVERS FOR W EB
                            H ACKING ?
                            H ACK ING F OR P ROFIT
                            The first question we confronted was why do people hack? It seems that the
                            answers lie in very different areas of the spectrum. On the capitalistic side, an
                            overwhelming number of incidents - more than 40% - are aimed at stealing
                            personal information. Such ‘personal records’ are easily traded on the internet
                            and therefore are the easiest virtual commodity to exchange for money.


Attack Goal           %
 Stealing Sensitive   42%
 Information
 Defacement           23%
 Planting Malware     15%
 Unknown              8%
 Deceit               3%
 Blackmail            3%
 Link Spam            3%
 Worm                 1%
 Phishing             1%
 Information          1%
                                                          F IGURE 1 - I NCIDENT   BY OUTCOME
 Warfare
                            Two other ways in which crooks exploit web sites to gain money are the
                            planting of malware and the adding of link spam to Web pages. The first
                            demonstrates the role of web application hacks in the ever growing client
                            security problem: by adding malicious code to the attacked web sites the
                            attackers convert hacked web sites to a primary method of distributing viruses,
                            Trojans and root kits. They are replacing e-mails as the preferred delivery
                            method.

                            Link spam, a fast-rising threat, builds on the success of the “grey-hat” comment
                            spam attack by adding links to pages. These links are meant to raise the
                            popularity of the web site they point to and raise their position in search
                            engines. But, unlike comment spam attacks that add links by posting spam
                            comments, Link Spam, the “black-hat” version achieves this by changing pages
                            on the attacked sites directly.

                            Together with blackmail, deceit and phishing the “for profit” attacks amount to
                            67% of all reported attacks.




                            4
The Web Hacking Incidents Database                                                     2007

                To measure the actual damage caused by incidents we analyzed how many
                personal records were stolen in each incident. We found that, in the majority of
                incidents, a few thousand records were stolen.




                F IGURE 2 - N UMBER   OF INCIDENTS BY NUMBER OF RECORDS LEAKING


                I DEOLOGICAL H A CKING
                On the other end of the spectrum, the ideologists use the internet to convey
                their message using Web hacking. Their main vehicle is defacing web sites.
                When further analyzing defacement incidents, we found that 50% were of a
                political nature, targeting political parties, candidates and government
                departments, often with a very specific message related to a campaign. Others
                have a cultural aspect, mainly Islamic hackers defacing western web sites.

                In order to concentrate on the impact of incidents, the WHID does not include
                most web site defacements, such as those covered by zone-h, as they are
                random attacks with relatively low impact. We do, however, include
                defacement incidents that carry a greater significance. We consider an incident
                significant mainly based on who the victim was and, in some cases, how the
                attack was done. We also require the defacement to be reported publicly and
                not just by the hacker.




                5
The Web Hacking Incidents Database                                                                     2007




                                   W HAT V ULNERABILITIES DO H ACKERS
                                   U SE ?
                                   Cross Site Scripting (XSS) has dominated the WHID since its inception. This
                                   result is echoed in other research projects: XSS is the most common
                                   vulnerability found by pen testers according to the Web Application Security
                                   Consortium’s Statistics Project and tops the OWASP top 10 2007 release.

                                   However, this year we focused our research by monitoring actual security
                                   incidents and not vulnerabilities. Incidents are security breaches in which
                                   hackers actually exploited a vulnerable web site whereas vulnerabilities only
                                   report that a web site could be exploited. Actual security breaches are more
                                   significant as they indicate both that a vulnerable web site is exploitable and
                                   that hackers have an interest, financial or other, in exploiting it.


Attack/Vulnerability         %
Used
SQL Injection                20%                             A3
                                                                   A5
                                                                                                   A2
Unintentional                17%
Information Disclosure
Known Vulnerability          15%                    A4
                                                                                                             A6
Cross Site Scripting (XSS)   12%
                                              A7
Insufficient Access          10%
Control
Credential/Session           8%
Prediction
OS Commanding                3%
                                                             A1
Misconfiguration             3%
Insufficient Anti-           3%                                                    A10, 2004 Version
automation
Denial of Service            3%                                F IGURE 3 -I NCIDENT BY ATTACK METHOD
Redirection                  2%                          (“A” LABELS REFER TO THE OWASP TOP 10 POSITION )

Insufficient Session         2%
Expiration
Cross Site Request           2%
Forgery (CSRF)


                                   When focusing on incidents rather than vulnerabilities, we found that SQL
                                                                                                                     th
                                   injection attacks top the list with 20% of the incidents. XSS attacks were only 4
                                   with 12%. It seems that while it is easier to find XSS vulnerabilities as the
                                   vulnerability is reflected to the client, it is somewhat harder to take advantage
                                   of them.

                                   6
The Web Hacking Incidents Database                                                        2007

                It is interesting to note that nearly one third of the attacks abused operational
                mistakes rather than programming mistakes. Unintentionally publishing
                information online seems to be a huge problem which indicates that content
                management and maintenance procedures are not up to the standards
                required to maintain a secure site.

                Another operational issue high on the list is known vulnerabilities. The broad
                exploit of known vulnerabilities suggests that regular patching is not performed
                in many web sites. This may be due to a lack of understanding of the
                importance of regular patching by system administrators. On the other hand, it
                might be reluctance to patch due to the operational risk and the time cost of
                patching, especially given the frequency of security patches in recent years. As
                a result it might be advisable to explore alternative patching strategies such as
                virtual patching which employs an external control to patch rather than
                requiring a software change.

                While operational issues, which lost their position on the OWASP top 10, are
                widely exploited, some top OWASP top 10 vulnerabilities such as Cross Site
                Request Forgery (CSRF) and malicious file execution are not as widely
                exploited. Specifically, CSRF vulnerabilities are easy to detect and appear in
                many web sites are not yet widely exploited.

                The table displayed above hides one important factor - the unknown. 29%
                percent of the incidents reported where reported without specifying the attack
                method. In many cases we feel that this lack of disclosure, apart from skewing
                statistics, prevents the fixing of the root cause of the problem. This is most
                noticeable in malware-planting incidents, in which the focus of the remediation
                process is removing the malware from the site rather than fixing the
                vulnerabilities that enabled attackers to gain access in the first place.

                But probably the main lesson is that we know too little. With so little
                information about real-world attacks, threat modeling requires collecting
                information from many different sources, each providing a partial and perhaps
                even biased view.

                W HICH T YPES O F O RGA NIZATIONS                    ARE   A TTACKED
                M OST O FTEN ?
                Another aspect we looked into is the type of organizations attackers choose as
                targets. We found out that the largest category of hacked organizations is
                government and related organizations. With education in second place, it
                appears that the non-commercial sector represents the primary target for
                hackers. Government is a prime target due to ideological reasons while
                universities are more open than other organizations. These statistics, however,
                are, to a degree, biased as the public disclosure requirements of government
                and other public organizations are much broader than those of commercial
                organizations.

                7
The Web Hacking Incidents Database                                                           2007


Vertical        %
  Government    16%
  Departments
  Education     15%
  Retail        12%
  Media         12%
  Service       8%
  Providers
  Security &    8%
  Law
  Enforcement
  Internet      8%
  Technology    5%
  Politics      5%
                                              F IGURE 4 - I NCIDENT BY ATTACK   ORGANIZATION TYPE
  Finance       5%
  Sports        3%
  Health        3%


                       On the commercial side, internet-related organizations top the list. This group
                       includes retail shops, comprising mostly e-commerce sites, media companies
                       and pure internet services such as search engines and service providers. It
                       seems that these companies do not compensate for the higher exposure they
                       incur, with the proper security procedures.

                       Financial institutes, on the other hand, are much lower on the list than one
                       would expect. Two possible explanations are that they have better security
                       measurements in place and that they disclose less.




                       8
The Web Hacking Incidents Database                                                          2007


                S UMMARY
                While financial gain is certainly a big driver for web hacking, ideological hacking
                cannot be ignored. Especially government and other non for profit organization
                suffer from ideological hacking. Internet related organizations, especially
                hosting providers, are suffering from more and more serious for profit hacking
                incidents. Financial organizations are either less vulnerable or disclose less.

                As far as real-world hacking is concerned we are still at the basics. While
                researchers are exploring ever more advanced attacks such as CSRF, hackers
                are still successfully exploiting the most basic application layer vulnerabilities
                such as SQL injection or information left accidentally in the open.

                While we have not seen a staggering increase in the number of reported
                attacks, we do see a clear and increasing trend upwards. We must also keep in
                mind that only the tip of the iceberg is reported.




                F IGURE 5 - 2007 I NCIDENTS PER MONTH




                9

Weitere ähnliche Inhalte

Was ist angesagt?

TECHNICAL WHITE PAPER▶ Symantec Website Security Threat Report
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat ReportTECHNICAL WHITE PAPER▶ Symantec Website Security Threat Report
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat ReportSymantec
 
December 2019 Part 10
December 2019 Part 10December 2019 Part 10
December 2019 Part 10seadeloitte
 
cybercrime survival guide
cybercrime survival guidecybercrime survival guide
cybercrime survival guideGary Gray, MCSE
 
Security troubles in e commerce website
Security troubles in e commerce websiteSecurity troubles in e commerce website
Security troubles in e commerce websiteDr. Raghavendra GS
 
Symantec Cyber Security Intelligence Report
Symantec Cyber Security Intelligence ReportSymantec Cyber Security Intelligence Report
Symantec Cyber Security Intelligence ReportSymantec
 
Global Cyber Attacks report 2018 - 2019 | HaltDos
Global Cyber Attacks report 2018 - 2019 | HaltDosGlobal Cyber Attacks report 2018 - 2019 | HaltDos
Global Cyber Attacks report 2018 - 2019 | HaltDosHaltdos
 
Ransomware Review 2017
Ransomware Review 2017Ransomware Review 2017
Ransomware Review 2017Dryden Geary
 
Ce hv8 module 02 footprinting and reconnaissance
Ce hv8 module 02 footprinting and reconnaissanceCe hv8 module 02 footprinting and reconnaissance
Ce hv8 module 02 footprinting and reconnaissanceMehrdad Jingoism
 
proofpoint-blindspots-visibility-white-paper
proofpoint-blindspots-visibility-white-paperproofpoint-blindspots-visibility-white-paper
proofpoint-blindspots-visibility-white-paperKen Spencer Brown
 
Advanced Phishing The Art of Stealing
Advanced Phishing The Art of StealingAdvanced Phishing The Art of Stealing
Advanced Phishing The Art of StealingAvinash Sinha
 
Symantec Intelligence Report - Oct 2015
Symantec Intelligence Report - Oct 2015Symantec Intelligence Report - Oct 2015
Symantec Intelligence Report - Oct 2015CheapSSLUSA
 
Financial Institutions, Merchants, and the Race Against Cyberthreats
Financial Institutions, Merchants, and the  Race Against CyberthreatsFinancial Institutions, Merchants, and the  Race Against Cyberthreats
Financial Institutions, Merchants, and the Race Against CyberthreatsEMC
 
Hi-Tech Crime Trends 2014
Hi-Tech Crime Trends 2014Hi-Tech Crime Trends 2014
Hi-Tech Crime Trends 2014Group-IB
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6seadeloitte
 
Breach level index_report_2017_gemalto
Breach level index_report_2017_gemaltoBreach level index_report_2017_gemalto
Breach level index_report_2017_gemaltoJonas Mercier
 
Sophos Security Threat Report 2014
Sophos Security Threat Report 2014Sophos Security Threat Report 2014
Sophos Security Threat Report 2014- Mark - Fullbright
 
Countering Cyber Threats By Monitoring “Normal” Website Behavior
Countering Cyber Threats By Monitoring “Normal” Website BehaviorCountering Cyber Threats By Monitoring “Normal” Website Behavior
Countering Cyber Threats By Monitoring “Normal” Website BehaviorEMC
 

Was ist angesagt? (20)

TECHNICAL WHITE PAPER▶ Symantec Website Security Threat Report
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat ReportTECHNICAL WHITE PAPER▶ Symantec Website Security Threat Report
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat Report
 
December 2019 Part 10
December 2019 Part 10December 2019 Part 10
December 2019 Part 10
 
cybercrime survival guide
cybercrime survival guidecybercrime survival guide
cybercrime survival guide
 
Security troubles in e commerce website
Security troubles in e commerce websiteSecurity troubles in e commerce website
Security troubles in e commerce website
 
Symantec Cyber Security Intelligence Report
Symantec Cyber Security Intelligence ReportSymantec Cyber Security Intelligence Report
Symantec Cyber Security Intelligence Report
 
Global Cyber Attacks report 2018 - 2019 | HaltDos
Global Cyber Attacks report 2018 - 2019 | HaltDosGlobal Cyber Attacks report 2018 - 2019 | HaltDos
Global Cyber Attacks report 2018 - 2019 | HaltDos
 
Ransomware Review 2017
Ransomware Review 2017Ransomware Review 2017
Ransomware Review 2017
 
Digital Threat Landscape
Digital Threat LandscapeDigital Threat Landscape
Digital Threat Landscape
 
Ce hv8 module 02 footprinting and reconnaissance
Ce hv8 module 02 footprinting and reconnaissanceCe hv8 module 02 footprinting and reconnaissance
Ce hv8 module 02 footprinting and reconnaissance
 
proofpoint-blindspots-visibility-white-paper
proofpoint-blindspots-visibility-white-paperproofpoint-blindspots-visibility-white-paper
proofpoint-blindspots-visibility-white-paper
 
Advanced Phishing The Art of Stealing
Advanced Phishing The Art of StealingAdvanced Phishing The Art of Stealing
Advanced Phishing The Art of Stealing
 
Symantec Intelligence Report - Oct 2015
Symantec Intelligence Report - Oct 2015Symantec Intelligence Report - Oct 2015
Symantec Intelligence Report - Oct 2015
 
Financial Institutions, Merchants, and the Race Against Cyberthreats
Financial Institutions, Merchants, and the  Race Against CyberthreatsFinancial Institutions, Merchants, and the  Race Against Cyberthreats
Financial Institutions, Merchants, and the Race Against Cyberthreats
 
Hi-Tech Crime Trends 2014
Hi-Tech Crime Trends 2014Hi-Tech Crime Trends 2014
Hi-Tech Crime Trends 2014
 
2013 Threat Report
2013 Threat Report2013 Threat Report
2013 Threat Report
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6
 
Ransomware Gang Masquerades as Real Company to Recruit Tech Talent
Ransomware Gang Masquerades as Real Company to Recruit Tech TalentRansomware Gang Masquerades as Real Company to Recruit Tech Talent
Ransomware Gang Masquerades as Real Company to Recruit Tech Talent
 
Breach level index_report_2017_gemalto
Breach level index_report_2017_gemaltoBreach level index_report_2017_gemalto
Breach level index_report_2017_gemalto
 
Sophos Security Threat Report 2014
Sophos Security Threat Report 2014Sophos Security Threat Report 2014
Sophos Security Threat Report 2014
 
Countering Cyber Threats By Monitoring “Normal” Website Behavior
Countering Cyber Threats By Monitoring “Normal” Website BehaviorCountering Cyber Threats By Monitoring “Normal” Website Behavior
Countering Cyber Threats By Monitoring “Normal” Website Behavior
 

Andere mochten auch

Introduction to google hacking database
Introduction to google hacking databaseIntroduction to google hacking database
Introduction to google hacking databaseimthebeginner
 
Webinar Gratuito: "JavaScript para Hacking Web"
Webinar Gratuito: "JavaScript para Hacking Web"Webinar Gratuito: "JavaScript para Hacking Web"
Webinar Gratuito: "JavaScript para Hacking Web"Alonso Caballero
 
TYPES OF HACKING
TYPES OF HACKINGTYPES OF HACKING
TYPES OF HACKINGSHERALI445
 
Big-Data in HealthCare _ Overview
Big-Data in HealthCare _ OverviewBig-Data in HealthCare _ Overview
Big-Data in HealthCare _ OverviewHamdaoui Younes
 
Mobile-First SEO - The Marketers Edition #3XEDigital
Mobile-First SEO - The Marketers Edition #3XEDigitalMobile-First SEO - The Marketers Edition #3XEDigital
Mobile-First SEO - The Marketers Edition #3XEDigitalAleyda Solís
 
Hype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerHype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerLuminary Labs
 

Andere mochten auch (11)

Introduction to google hacking database
Introduction to google hacking databaseIntroduction to google hacking database
Introduction to google hacking database
 
Webinar Gratuito: "JavaScript para Hacking Web"
Webinar Gratuito: "JavaScript para Hacking Web"Webinar Gratuito: "JavaScript para Hacking Web"
Webinar Gratuito: "JavaScript para Hacking Web"
 
Bluejacking
BluejackingBluejacking
Bluejacking
 
Bluejacking
BluejackingBluejacking
Bluejacking
 
TYPES OF HACKING
TYPES OF HACKINGTYPES OF HACKING
TYPES OF HACKING
 
Ethical hacking presentation
Ethical hacking presentationEthical hacking presentation
Ethical hacking presentation
 
Hacking ppt
Hacking pptHacking ppt
Hacking ppt
 
Big-Data in HealthCare _ Overview
Big-Data in HealthCare _ OverviewBig-Data in HealthCare _ Overview
Big-Data in HealthCare _ Overview
 
Crystallography
CrystallographyCrystallography
Crystallography
 
Mobile-First SEO - The Marketers Edition #3XEDigital
Mobile-First SEO - The Marketers Edition #3XEDigitalMobile-First SEO - The Marketers Edition #3XEDigital
Mobile-First SEO - The Marketers Edition #3XEDigital
 
Hype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerHype vs. Reality: The AI Explainer
Hype vs. Reality: The AI Explainer
 

Ähnlich wie The Web Hacking Incidents Database Annual

WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)
WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)
WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)Jeremiah Grossman
 
What is the Cybersecurity plan for tomorrow?
What is the Cybersecurity plan for tomorrow?What is the Cybersecurity plan for tomorrow?
What is the Cybersecurity plan for tomorrow?Samvel Gevorgyan
 
CYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_ReportCYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_ReportChris Taylor
 
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...Invincea, Inc.
 
Edgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEdgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEoin Keary
 
2022 Vulnerability Statistics Report.pdf
2022 Vulnerability Statistics Report.pdf2022 Vulnerability Statistics Report.pdf
2022 Vulnerability Statistics Report.pdfssuserc3d7ec1
 
Websense 2013 Threat Report
Websense 2013 Threat ReportWebsense 2013 Threat Report
Websense 2013 Threat ReportKim Jensen
 
Ce hv8 module 13 hacking web applications
Ce hv8 module 13 hacking web applications Ce hv8 module 13 hacking web applications
Ce hv8 module 13 hacking web applications Mehrdad Jingoism
 
Malware Problem Analysis Paper.pdfMalware Problem Analysis Paper
Malware Problem Analysis Paper.pdfMalware Problem Analysis PaperMalware Problem Analysis Paper.pdfMalware Problem Analysis Paper
Malware Problem Analysis Paper.pdfMalware Problem Analysis PaperSarah Jimenez
 
The Whys and Wherefores of Web Security – by United Security Providers
The Whys and Wherefores of Web Security – by United Security ProvidersThe Whys and Wherefores of Web Security – by United Security Providers
The Whys and Wherefores of Web Security – by United Security ProvidersUnited Security Providers AG
 
Cybersecurity | Risk. Impact. Innovations.
Cybersecurity | Risk. Impact. Innovations.Cybersecurity | Risk. Impact. Innovations.
Cybersecurity | Risk. Impact. Innovations.Vertex Holdings
 
Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Erik Ginalick
 
5 network-security-threats
5 network-security-threats5 network-security-threats
5 network-security-threatsReadWrite
 
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec Technology and Consulting
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerceSensePost
 
CYBER-THREAT-LANDSCAPE-2021.pdf
CYBER-THREAT-LANDSCAPE-2021.pdfCYBER-THREAT-LANDSCAPE-2021.pdf
CYBER-THREAT-LANDSCAPE-2021.pdfKrishna N
 
Cisco 2014 Midyear Security Report
Cisco 2014 Midyear Security ReportCisco 2014 Midyear Security Report
Cisco 2014 Midyear Security ReportCisco Security
 
What Makes Web Applications Desirable For Hackers
What Makes Web Applications Desirable For HackersWhat Makes Web Applications Desirable For Hackers
What Makes Web Applications Desirable For HackersJaime Manteiga
 
Eset trends report_2018
Eset trends report_2018Eset trends report_2018
Eset trends report_2018malvvv
 
Cybersecurity Trends 2018: The costs of connection
Cybersecurity Trends 2018: The costs of connectionCybersecurity Trends 2018: The costs of connection
Cybersecurity Trends 2018: The costs of connectionESET Middle East
 

Ähnlich wie The Web Hacking Incidents Database Annual (20)

WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)
WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)
WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)
 
What is the Cybersecurity plan for tomorrow?
What is the Cybersecurity plan for tomorrow?What is the Cybersecurity plan for tomorrow?
What is the Cybersecurity plan for tomorrow?
 
CYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_ReportCYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_Report
 
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
 
Edgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEdgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics Report
 
2022 Vulnerability Statistics Report.pdf
2022 Vulnerability Statistics Report.pdf2022 Vulnerability Statistics Report.pdf
2022 Vulnerability Statistics Report.pdf
 
Websense 2013 Threat Report
Websense 2013 Threat ReportWebsense 2013 Threat Report
Websense 2013 Threat Report
 
Ce hv8 module 13 hacking web applications
Ce hv8 module 13 hacking web applications Ce hv8 module 13 hacking web applications
Ce hv8 module 13 hacking web applications
 
Malware Problem Analysis Paper.pdfMalware Problem Analysis Paper
Malware Problem Analysis Paper.pdfMalware Problem Analysis PaperMalware Problem Analysis Paper.pdfMalware Problem Analysis Paper
Malware Problem Analysis Paper.pdfMalware Problem Analysis Paper
 
The Whys and Wherefores of Web Security – by United Security Providers
The Whys and Wherefores of Web Security – by United Security ProvidersThe Whys and Wherefores of Web Security – by United Security Providers
The Whys and Wherefores of Web Security – by United Security Providers
 
Cybersecurity | Risk. Impact. Innovations.
Cybersecurity | Risk. Impact. Innovations.Cybersecurity | Risk. Impact. Innovations.
Cybersecurity | Risk. Impact. Innovations.
 
Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112
 
5 network-security-threats
5 network-security-threats5 network-security-threats
5 network-security-threats
 
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerce
 
CYBER-THREAT-LANDSCAPE-2021.pdf
CYBER-THREAT-LANDSCAPE-2021.pdfCYBER-THREAT-LANDSCAPE-2021.pdf
CYBER-THREAT-LANDSCAPE-2021.pdf
 
Cisco 2014 Midyear Security Report
Cisco 2014 Midyear Security ReportCisco 2014 Midyear Security Report
Cisco 2014 Midyear Security Report
 
What Makes Web Applications Desirable For Hackers
What Makes Web Applications Desirable For HackersWhat Makes Web Applications Desirable For Hackers
What Makes Web Applications Desirable For Hackers
 
Eset trends report_2018
Eset trends report_2018Eset trends report_2018
Eset trends report_2018
 
Cybersecurity Trends 2018: The costs of connection
Cybersecurity Trends 2018: The costs of connectionCybersecurity Trends 2018: The costs of connection
Cybersecurity Trends 2018: The costs of connection
 

Kürzlich hochgeladen

Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 

Kürzlich hochgeladen (20)

Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 

The Web Hacking Incidents Database Annual

  • 1. The Web Hacking Incidents Database 2007 This report was prepared by Ofer Shezaf and Breach Annual Security Labs team. Report
  • 2. The Web Hacking Incidents Database 2007 A BOUT T HE W EB H ACKING I NCIDENTS D ATABASE The web hacking incident database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web application-related security incidents. The WHID’s purpose is to serve as a tool for raising awareness of the web application security problem and provide information for statistical analysis of web application security incidents. The WHID is unique in focusing on impact of the attack rather than on the technical aspects of the attack. To be included in WHID an incident must be publicly reported, be associated with web application security vulnerabilities and have an identified outcome. For further information about the Web Hacking Incidents Database refer to http://www.webappsec.org/projects/whid/. R ELATED R ESEARCH W ORK Many projects such as Bugtraq, XSSed and the Web Applications Security Consortium’s Statistics Project track vulnerabilities in software or in web sites. However, vulnerabilities present only one dimension of the problem as they tend to be described in technical terms. Real-world incidents on the other hand provide us with additional information that enables research into actual trends in the hacking world such as the types of organizations attacked, the motivation behind the attacks and the sources of the attacks. Another project that collects information about real-world web hacking incidents is zone-h. While zone-h is more comprehensive and includes a large number of incidents, the majority of these are random hacks, something which shadows other types of attack. By excluding random attacks, WHID can provide a better tool for analyzing targeted non-random attacks on web sites. The unique value in tracking targeted web incidents is that it allows measuring the actual effect of the incidents, transferring research from the technology domain to the business impact domain. In order to manage risk, one needs to understand the potential business impact as opposed to technical failure. This makes WHID the right tool for making business decisions concerning website security. O NLY T HE T IP OF T HE I CEBERG Since the criteria for inclusion of incidents in the WHID are restricting by definition, the number of incidents that are included is not very large - only 80 incidents made it to the database this year. Therefore the analysis in this document is based on relative percentage rather than on absolute numbers. We also significantly enhanced the database this year, and have not upgraded 2
  • 3. The Web Hacking Incidents Database 2007 historical records to the same level, so year-over-year analysis is not yet available. A BOUT T HIS R EPORT The WHID has 237 entries of events occurring from 1999 until 2007. However, the inclusion criteria were changed in 2006 and additional attributes such as incident outcome and type of organization attacked where added in 2007. To date, only incidents for 2007 have been adjusted to the new criteria, so until the historical data is adjusted, year-over-year analysis is not possible. The current report, therefore, focuses on 2007 alone. For each incident the WHID views attributes from many different angles: • Attack Method – The technical vulnerability exploited by the attacker to perform the hack. • Outcome – the real-world result of the attack. • Country – the country in which the attacked web site (or owning organization) resides. • Origin – the country from which the attack was launched. • Vertical – the field of operation of the organization that was attacked. The analysis in this paper is based on all of the above attributes, apart from origin and country. Information regarding the origin of attacks was too scarce for meaningful analysis. The contributors to the WHID tend to come more from English-speaking countries, presumably, because of the English-language interface of the WHID. This gives a leaning towards incidents in these countries rather than a world status. In this report we try to cover the following issues: • The drivers, business or other, behind Web hacking. • The vulnerabilities hackers exploit. • The types of organizations attacked most often. 3
  • 4. The Web Hacking Incidents Database 2007 W HAT ARE THE D RIVERS FOR W EB H ACKING ? H ACK ING F OR P ROFIT The first question we confronted was why do people hack? It seems that the answers lie in very different areas of the spectrum. On the capitalistic side, an overwhelming number of incidents - more than 40% - are aimed at stealing personal information. Such ‘personal records’ are easily traded on the internet and therefore are the easiest virtual commodity to exchange for money. Attack Goal % Stealing Sensitive 42% Information Defacement 23% Planting Malware 15% Unknown 8% Deceit 3% Blackmail 3% Link Spam 3% Worm 1% Phishing 1% Information 1% F IGURE 1 - I NCIDENT BY OUTCOME Warfare Two other ways in which crooks exploit web sites to gain money are the planting of malware and the adding of link spam to Web pages. The first demonstrates the role of web application hacks in the ever growing client security problem: by adding malicious code to the attacked web sites the attackers convert hacked web sites to a primary method of distributing viruses, Trojans and root kits. They are replacing e-mails as the preferred delivery method. Link spam, a fast-rising threat, builds on the success of the “grey-hat” comment spam attack by adding links to pages. These links are meant to raise the popularity of the web site they point to and raise their position in search engines. But, unlike comment spam attacks that add links by posting spam comments, Link Spam, the “black-hat” version achieves this by changing pages on the attacked sites directly. Together with blackmail, deceit and phishing the “for profit” attacks amount to 67% of all reported attacks. 4
  • 5. The Web Hacking Incidents Database 2007 To measure the actual damage caused by incidents we analyzed how many personal records were stolen in each incident. We found that, in the majority of incidents, a few thousand records were stolen. F IGURE 2 - N UMBER OF INCIDENTS BY NUMBER OF RECORDS LEAKING I DEOLOGICAL H A CKING On the other end of the spectrum, the ideologists use the internet to convey their message using Web hacking. Their main vehicle is defacing web sites. When further analyzing defacement incidents, we found that 50% were of a political nature, targeting political parties, candidates and government departments, often with a very specific message related to a campaign. Others have a cultural aspect, mainly Islamic hackers defacing western web sites. In order to concentrate on the impact of incidents, the WHID does not include most web site defacements, such as those covered by zone-h, as they are random attacks with relatively low impact. We do, however, include defacement incidents that carry a greater significance. We consider an incident significant mainly based on who the victim was and, in some cases, how the attack was done. We also require the defacement to be reported publicly and not just by the hacker. 5
  • 6. The Web Hacking Incidents Database 2007 W HAT V ULNERABILITIES DO H ACKERS U SE ? Cross Site Scripting (XSS) has dominated the WHID since its inception. This result is echoed in other research projects: XSS is the most common vulnerability found by pen testers according to the Web Application Security Consortium’s Statistics Project and tops the OWASP top 10 2007 release. However, this year we focused our research by monitoring actual security incidents and not vulnerabilities. Incidents are security breaches in which hackers actually exploited a vulnerable web site whereas vulnerabilities only report that a web site could be exploited. Actual security breaches are more significant as they indicate both that a vulnerable web site is exploitable and that hackers have an interest, financial or other, in exploiting it. Attack/Vulnerability % Used SQL Injection 20% A3 A5 A2 Unintentional 17% Information Disclosure Known Vulnerability 15% A4 A6 Cross Site Scripting (XSS) 12% A7 Insufficient Access 10% Control Credential/Session 8% Prediction OS Commanding 3% A1 Misconfiguration 3% Insufficient Anti- 3% A10, 2004 Version automation Denial of Service 3% F IGURE 3 -I NCIDENT BY ATTACK METHOD Redirection 2% (“A” LABELS REFER TO THE OWASP TOP 10 POSITION ) Insufficient Session 2% Expiration Cross Site Request 2% Forgery (CSRF) When focusing on incidents rather than vulnerabilities, we found that SQL th injection attacks top the list with 20% of the incidents. XSS attacks were only 4 with 12%. It seems that while it is easier to find XSS vulnerabilities as the vulnerability is reflected to the client, it is somewhat harder to take advantage of them. 6
  • 7. The Web Hacking Incidents Database 2007 It is interesting to note that nearly one third of the attacks abused operational mistakes rather than programming mistakes. Unintentionally publishing information online seems to be a huge problem which indicates that content management and maintenance procedures are not up to the standards required to maintain a secure site. Another operational issue high on the list is known vulnerabilities. The broad exploit of known vulnerabilities suggests that regular patching is not performed in many web sites. This may be due to a lack of understanding of the importance of regular patching by system administrators. On the other hand, it might be reluctance to patch due to the operational risk and the time cost of patching, especially given the frequency of security patches in recent years. As a result it might be advisable to explore alternative patching strategies such as virtual patching which employs an external control to patch rather than requiring a software change. While operational issues, which lost their position on the OWASP top 10, are widely exploited, some top OWASP top 10 vulnerabilities such as Cross Site Request Forgery (CSRF) and malicious file execution are not as widely exploited. Specifically, CSRF vulnerabilities are easy to detect and appear in many web sites are not yet widely exploited. The table displayed above hides one important factor - the unknown. 29% percent of the incidents reported where reported without specifying the attack method. In many cases we feel that this lack of disclosure, apart from skewing statistics, prevents the fixing of the root cause of the problem. This is most noticeable in malware-planting incidents, in which the focus of the remediation process is removing the malware from the site rather than fixing the vulnerabilities that enabled attackers to gain access in the first place. But probably the main lesson is that we know too little. With so little information about real-world attacks, threat modeling requires collecting information from many different sources, each providing a partial and perhaps even biased view. W HICH T YPES O F O RGA NIZATIONS ARE A TTACKED M OST O FTEN ? Another aspect we looked into is the type of organizations attackers choose as targets. We found out that the largest category of hacked organizations is government and related organizations. With education in second place, it appears that the non-commercial sector represents the primary target for hackers. Government is a prime target due to ideological reasons while universities are more open than other organizations. These statistics, however, are, to a degree, biased as the public disclosure requirements of government and other public organizations are much broader than those of commercial organizations. 7
  • 8. The Web Hacking Incidents Database 2007 Vertical % Government 16% Departments Education 15% Retail 12% Media 12% Service 8% Providers Security & 8% Law Enforcement Internet 8% Technology 5% Politics 5% F IGURE 4 - I NCIDENT BY ATTACK ORGANIZATION TYPE Finance 5% Sports 3% Health 3% On the commercial side, internet-related organizations top the list. This group includes retail shops, comprising mostly e-commerce sites, media companies and pure internet services such as search engines and service providers. It seems that these companies do not compensate for the higher exposure they incur, with the proper security procedures. Financial institutes, on the other hand, are much lower on the list than one would expect. Two possible explanations are that they have better security measurements in place and that they disclose less. 8
  • 9. The Web Hacking Incidents Database 2007 S UMMARY While financial gain is certainly a big driver for web hacking, ideological hacking cannot be ignored. Especially government and other non for profit organization suffer from ideological hacking. Internet related organizations, especially hosting providers, are suffering from more and more serious for profit hacking incidents. Financial organizations are either less vulnerable or disclose less. As far as real-world hacking is concerned we are still at the basics. While researchers are exploring ever more advanced attacks such as CSRF, hackers are still successfully exploiting the most basic application layer vulnerabilities such as SQL injection or information left accidentally in the open. While we have not seen a staggering increase in the number of reported attacks, we do see a clear and increasing trend upwards. We must also keep in mind that only the tip of the iceberg is reported. F IGURE 5 - 2007 I NCIDENTS PER MONTH 9